SCAP Evaluation Report

About profile


CIS Red Hat OpenShift Container Platform 4 Benchmark
This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V1.4. This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. Note that this part of the profile is meant to run on the Platform that Red Hat OpenShift Container Platform 4 runs on top of. This profile is applicable to OpenShift versions 4.10 and greater.

Compliance and Scoring


Danger alert: The target system did not satisfy the conditions of 7 rules!

Please review rule results and consider applying remediation.

Rule results


76 Pass
7 Fail
25 Other

Severity of failed rules


6 Medium
1 High

Score 

84.90 of 100.00



Rule Overview



Rule | Severity | Result
medium | notchecked

Rule ID:

xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens

Result:

notchecked

Time:

2023-10-15T17:57:56+00:00

Description:
Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server. To ensure pods do not automatically mount tokens, set automountServiceAccountToken to false.
Rationale:

Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster.

Severity:

medium

References:

Messages:

Message:

No candidate or applicable check found.

Warning alert: There is no OVAL definition.

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
medium | notchecked

Rule ID:

xccdf_org.ssgproject.content_rule_accounts_unique_service_account

Result:

notchecked

Time:

2023-10-15T17:57:56+00:00

Description:
Using the default service account prevents accurate application rights review and audit tracing. Instead of default, create a new and unique service account with the following command:
$ oc create sa service_account_name
where service_account_name is the name of a service account that is needed in the project namespace.
Rationale:

Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. This increases auditability of service account rights and access making it easier and more accurate to trace potential malicious behaviors to a specific service account and project.

Severity:

medium

References:

Messages:

Message:

No candidate or applicable check found.

Warning alert: There is no OVAL definition.

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwaysadmit

Result:

pass

Time:

2023-10-15T17:57:56+00:00

Description:
To ensure OpenShift only responds to requests explicitly allowed by the admission control plugins, check that the config ConfigMap object does not contain the AlwaysAdmit plugin.
Rationale:

Enabling the admission control plugin AlwaysAdmit allows all requests and does not provide any filtering.

Severity:

medium

Identifiers:

CCE-84148-6

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson]{{else}}[.data."config.yaml" | fromjson]{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_admission_control_plugin_alwaysadmit:def:1

Class:

compliance

Title:

Disable the AlwaysAdmit Admission Control Plugin

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["enable-admission-plugins"][:]' all: value equals '^AlwaysAdmit$'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1


Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
high | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwayspullimages

Result:

pass

Time:

2023-10-15T17:57:56+00:00

Description:
The AlwaysPullImages admission control plugin should be disabled, since it can introduce new failure modes for control plane components if an image registry is unreachable.
Rationale:

Setting admission control policy to AlwaysPullImages forces every new pod to pull the required images every time. In a multi-tenant cluster users can be assured that their private images can only be used by those who have the credentials to pull them. Without this admission control policy, once an image has been pulled to a node, any pod from any user can use it simply by knowing the image’s name, without any authorization check against the image ownership. When this plug-in is enabled, images are always pulled prior to starting containers, which means valid credentials are required. However, turning on this admission plugin can introduce new kinds of cluster failure modes. OpenShift 4 master and infrastructure components are deployed as pods. Enabling this feature can result in cases where loss of contact to an image registry can cause a redeployed infrastructure pod (oauth-server for example) to fail on an image pull for an image that is currently present on the node. We use PullIfNotPresent so that a loss of image registry access does not prevent the pod from starting. If it becomes PullAlways, then an image registry access outage can cause key infrastructure components to fail. The pull policy can be managed per container, using imagePullPolicy.

Severity:

high

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson]{{else}}[.data."config.yaml" | fromjson]{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_admission_control_plugin_alwayspullimages:def:1

Class:

compliance

Title:

Ensure that the Admission Control Plugin AlwaysPullImages is not set

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["enable-admission-plugins"][:]' all: value equals '^AlwaysPullImages$'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1


Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_namespacelifecycle

Result:

pass

Time:

2023-10-15T17:57:56+00:00

Description:
OpenShift enables the NamespaceLifecycle plugin by default.
Rationale:

Setting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of new objects.

Severity:

medium

Identifiers:

CCE-83854-0

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_admission_control_plugin_namespacelifecycle:def:1

Class:

compliance

Title:

Enable the NamespaceLifecycle Admission Control Plugin

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["enable-admission-plugins"][:]' at least one: value equals '^NamespaceLifecycle$'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1


Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_noderestriction

Result:

pass

Time:

2023-10-15T17:57:56+00:00

Description:
To limit the Node and Pod objects that a kubelet could modify, ensure that the NodeRestriction plugin on kubelets is enabled in the api-server configuration by running the following command:
$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '.data."config.yaml"' | jq '.apiServerArguments."enable-admission-plugins"'
Rationale:

Using the NodeRestriction plugin ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.

Severity:

medium

Identifiers:

CCE-83753-4

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_admission_control_plugin_noderestriction:def:1

Class:

compliance

Title:

Enable the NodeRestriction Admission Control Plugin

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["enable-admission-plugins"][:]' at least one: value equals '^NodeRestriction$'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1


Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_scc

Result:

pass

Time:

2023-10-15T17:57:56+00:00

Description:
To ensure pod permissions are managed, make sure that the SecurityContextConstraint admission control plugin is used.
Rationale:

A Security Context Constraint is a cluster-level resource that controls the actions which a pod can perform and what the pod may access. The SecurityContextConstraint objects define a set of conditions that a pod must run with in order to be accepted into the system. Security Context Constraints are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions.

Severity:

medium

Identifiers:

CCE-83602-3

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_admission_control_plugin_scc:def:1

Class:

compliance

Title:

Enable the SecurityContextConstraint Admission Control Plugin

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["enable-admission-plugins"][:]' at least one: value equals '^security.openshift.io/SecurityContextConstraint$'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1


Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_service_account

Result:

pass

Time:

2023-10-15T17:57:56+00:00

Description:
To ensure that ServiceAccount objects are created and granted before pod creation is allowed, follow the documentation and create ServiceAccount objects as appropriate for your environment. Ensure that the plugin is enabled in the api-server configuration:
$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '.data."config.yaml"' | jq '.apiServerArguments."enable-admission-plugins"'
Rationale:

When a pod is created, if a service account is not specified, the pod is automatically assigned the default service account in the same namespace. OpenShift operators should create unique service accounts and let the API Server manage their security tokens.

Severity:

medium

Identifiers:

CCE-83791-4

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_admission_control_plugin_service_account:def:1

Class:

compliance

Title:

Enable the ServiceAccount Admission Control Plugin

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["enable-admission-plugins"][:]' at least one: value equals '^ServiceAccount$'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1


Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_anonymous_auth

Result:

pass

Time:

2023-10-15T17:57:56+00:00

Description:
By default, anonymous access to the OpenShift API is enabled, but at the same time, all requests must be authorized. If no authentication mechanism is used, the request is assigned the system:anonymous virtual user and the system:unauthenticated virtual group. This allows the authorization layer to determine which requests, if any, an anonymous user is authorized to make. To verify the authorization rules for anonymous requests run the following:
$ oc describe clusterrolebindings
and inspect the bindings of the system:anonymous virtual user and the system:unauthenticated virtual group. To test that an anonymous request is authorized to access the readyz endpoint, run:
$ oc get --as="system:anonymous" --raw='/readyz?verbose'
In contrast, a request to list all projects should not be authorized:
$ oc get --as="system:anonymous" projects
Rationale:

When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the API server. If you are using RBAC authorization, it is generally considered reasonable to allow anonymous access to the API Server for health checks and discovery purposes, and hence this recommendation is not scored. However, you should consider whether anonymous discovery is an acceptable risk for your purposes.

Severity:

medium

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/rbac.authorization.k8s.io/v1/clusterrolebindings API endpoint to the local /kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1/clusterrolebindings file.

OVAL definition:

Definition ID:

oval:ssg-api_server_anonymous_auth:def:1

Class:

compliance

Title:

Ensure that anonymous requests to the API Server are authorized

Description:

In the YAML/JSON file '/apis/rbac.authorization.k8s.io/v1/clusterrolebindings' at path '.items[:]['subjects'][:].name' at least one: value equals 'system:unauthenticated'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1


Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_api_priority_gate_enabled

Result:

pass

Time:

2023-10-15T17:57:56+00:00

Description:
To limit the rate at which the API Server accepts requests, make sure that the API Priority and Fairness feature is enabled. Using APIPriorityAndFairness feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. To enable the APIPriorityAndFairness feature gate, make sure that the feature-gates API server argument, typically set in the config configMap in the openshift-kube-apiserver namespace contains APIPriorityAndFairness=true. Note that since Kubernetes 1.20, this feature gate is enabled by default. As a result, this rule is only applicable to OpenShift releases prior to 4.7 which was the first OCP release to ship Kubernetes 1.20.
Rationale:

The APIPriorityAndFairness feature gate enables the use of the FlowSchema API objects, which enforce a limit on the number of events that the API Server will accept in a given time slice. In a large multi-tenant cluster, there might be a small percentage of misbehaving tenants which could have a significant impact on the performance of the cluster overall. It is recommended to limit the rate of events that the API Server will accept.

Severity:

medium

Identifiers:

CCE-83656-9

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/operator.openshift.io/v1/kubeapiservers/cluster API endpoint to the local /kubernetes-api-resources/apis/operator.openshift.io/v1/kubeapiservers/cluster file.

OVAL definition:

Definition ID:

oval:ssg-api_server_api_priority_gate_enabled:def:1

Class:

compliance

Title:

Enable the APIPriorityAndFairness feature gate

Description:

In the YAML/JSON file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' at path '.spec.observedConfig.apiServerArguments["feature-gates"][:]' all: value equals '^APIPriorityAndFairness=true$'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1


Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
#ocp4.6
low | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_audit_log_maxbackup

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To configure how many rotations of audit logs are retained, edit the openshift-kube-apiserver configmap and set the audit-log-maxbackup parameter to 10 or to an organizationally appropriate value:
"apiServerArguments":{
  ...
  "audit-log-maxbackup": [10],
  ...
Rationale:

OpenShift automatically rotates the log files. Retaining old log files ensures OpenShift Operators will have sufficient log data available for carrying out any investigation or correlation. For example, if the audit log size is set to 100 MB and the number of retained log files is set to 10, OpenShift Operators would have approximately 1 GB of log data to use during analysis.

Severity:

low

Identifiers:

CCE-83739-3

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_audit_log_maxbackup:def:1

Class:

compliance

Title:

Configure the Kubernetes API Server Maximum Retained Audit Logs

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["audit-log-maxbackup"][:]' at least one: value equals '10'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1


Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_audit_log_maxsize

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To rotate audit logs upon reaching a maximum size, edit the openshift-kube-apiserver configmap and set the audit-log-maxsize parameter to an appropriate size in MB. For example, to set it to 100 MB:
"apiServerArguments":{
  ...
  "audit-log-maxsize": ["100"],
  ...
Rationale:

OpenShift automatically rotates log files. Retaining old log files ensures that OpenShift Operators have sufficient log data available for carrying out any investigation or correlation. If you have set a file size of 100 MB and the number of old log files to keep to 10, there would be approximately 1 GB of log data available for use in analysis.

Severity:

medium

Identifiers:

CCE-83607-2

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_audit_log_maxsize:def:1

Class:

compliance

Title:

Configure Kubernetes API Server Maximum Audit Log Size

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["audit-log-maxsize"][:]' at least one: value equals '100'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1


Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
high | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_audit_log_path

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To enable auditing on the Kubernetes API Server, the audit log path must be set. Edit the openshift-kube-apiserver configmap and set the audit-log-path to a suitable path and file where audit logs should be written. For example:
"apiServerArguments":{
  ...
  "audit-log-path":"/var/log/kube-apiserver/audit.log",
  ...
Rationale:

Auditing of the Kubernetes API Server is not enabled by default. Auditing the API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by users, administrators, or other system components.

Severity:

high

Identifiers:

CCE-84020-7

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and:
  • retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint, filter it with the jq filter .data."config.yaml" | fromjson, and persist the result to the local file /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 (this rule does not apply to HyperShift hosted control planes, where the source would instead be the hosted cluster's kas-config configmap, key config.json).

OVAL definition:

Definition ID:

oval:ssg-api_server_audit_log_path:def:1

Class:

compliance

Title:

Configure the Audit Log Path

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["audit-log-path"][:]' at least one: value equals '.+'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_audit_log_path:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_auth_mode_no_aa

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
Do not configure the API Server to authorize every request (authorization-mode AlwaysAllow).
Rationale:

The API Server can be configured to allow all requests, which disables authorization entirely. This mode should not be used on any production cluster.

Severity:

medium

Identifiers:

CCE-84207-0

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and:
  • retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint, filter it with the jq filter [.data."config.yaml" | fromjson], and persist the result to the local file /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145 (this rule does not apply to HyperShift hosted control planes, where the source would instead be the hosted cluster's kas-config configmap, key config.json).

OVAL definition:

Definition ID:

oval:ssg-api_server_auth_mode_no_aa:def:1

Class:

compliance

Title:

The authorization-mode cannot be AlwaysAllow

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["authorization-mode"][:]' all: value equals 'AlwaysAllow' (evaluated as a none-exist check: the definition is true only when no authorization-mode entry matches, which is why a cluster without AlwaysAllow passes)

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_auth_mode_no_aa:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_auth_mode_rbac

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To ensure OpenShift restricts different identities to a defined set of operations they are allowed to perform, check that the API server's authorization-mode configuration option list contains RBAC.
Rationale:

Role Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. Enabling RBAC is critical in regulating access to an OpenShift cluster as the RBAC rules specify, given a user, which operations can be executed over a set of namespaced or cluster-wide resources.

Severity:

medium

Identifiers:

CCE-84102-3

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and:
  • retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint, filter it with the jq filter .data."config.yaml" | fromjson, and persist the result to the local file /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 (this rule does not apply to HyperShift hosted control planes, where the source would instead be the hosted cluster's kas-config configmap, key config.json).

OVAL definition:

Definition ID:

oval:ssg-api_server_auth_mode_rbac:def:1

Class:

compliance

Title:

Ensure authorization-mode RBAC is configured

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["authorization-mode"][:]' at least one: value equals 'RBAC'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_auth_mode_rbac:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_basic_auth

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
Basic authentication should not be used for any reason. If it is configured, edit the openshift-kube-apiserver configmap and remove the basic-auth-file parameter:
"apiServerArguments":{
  ...
  "basic-auth-file":[
    "/path/to/any/file"
  ],
  ...
Alternative authentication mechanisms, such as tokens and certificates, must be used instead; username and password basic authentication will be disabled.
Rationale:

Basic authentication sends plaintext credentials. Credentials in the basic-auth file last indefinitely, and a password cannot be changed without restarting the API Server. Basic authentication is supported only for convenience and is not intended for production workloads.

Severity:

medium

Identifiers:

CCE-83936-5

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and:
  • retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint, filter it with the jq filter .data."config.yaml" | fromjson, and persist the result to the local file /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 (this rule does not apply to HyperShift hosted control planes, where the source would instead be the hosted cluster's kas-config configmap, key config.json).

OVAL definition:

Definition ID:

oval:ssg-api_server_basic_auth:def:1

Class:

compliance

Title:

Disable basic-auth-file for the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[:]' all: key 'basic-auth-file' value equals '' (evaluated as a none-exist check: the definition is true only when no basic-auth-file key is present)

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_basic_auth:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
low | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_bind_address

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
The bindAddress is set to 0.0.0.0:6443 by default and the API Server listens there with TLS enabled.
Rationale:

The OpenShift API server is served over HTTPS with authentication and authorization; the secure API endpoint is bound to 0.0.0.0:6443 by default. In OpenShift, the only supported way to reach the API server pods is through the load balancer and then the internal service. The value is set by the bindAddress field under servingInfo in the kube-apiserver config.

Severity:

low

Identifiers:

CCE-83646-0

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and:
  • retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint, filter it with the jq filter .data."config.yaml" | fromjson, and persist the result to the local file /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 (this rule does not apply to HyperShift hosted control planes, where the source would instead be the hosted cluster's kas-config configmap, key config.json).

OVAL definition:

Definition ID:

oval:ssg-api_server_bind_address:def:1

Class:

compliance

Title:

Ensure that the bindAddress is set to a relevant secure port

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.servingInfo["bindAddress"]' all: value equals '(.+)'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_bind_address:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_client_ca

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
Certificates must be provided to fully set up TLS client certificate authentication. To ensure the API Server accepts only client certificates issued by a CA it trusts, the client CA must be configured. Verify that apiServerArguments has client-ca-file configured in the openshift-kube-apiserver config configmap to something similar to:
"apiServerArguments": {
  ...
    "client-ca-file": [
      "/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"
    ],
  ...
Rationale:

API Server communication contains sensitive parameters that should remain encrypted in transit, so the API Server must serve only HTTPS traffic. If client-ca-file is set, any request presenting a client certificate signed by one of the authorities in that file is authenticated with an identity corresponding to the CommonName of the client certificate.

Severity:

medium

Identifiers:

CCE-84284-9

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and:
  • retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint, filter it with the jq filter [.data."config.yaml" | fromjson | select(.apiServerArguments["client-ca-file"]) | .apiServerArguments["client-ca-file"][] | select(test("{{.var_apiserver_client_ca}}"))] (where {{.var_apiserver_client_ca}} is substituted with the value of the profile variable var_apiserver_client_ca), and persist the result to the local file /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#d56e72c377d8f85e0601a704d4218064a0ea4a2235ceee82d20db6cdafc74608 (this rule does not apply to HyperShift hosted control planes, where the source would instead be the hosted cluster's kas-config configmap, key config.json, and the expected CA path /etc/kubernetes/certs/client-ca/ca.crt).

OVAL definition:

Definition ID:

oval:ssg-api_server_client_ca:def:1

Class:

compliance

Title:

Configure the Client Certificate Authority for the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#d56e72c377d8f85e0601a704d4218064a0ea4a2235ceee82d20db6cdafc74608' at path '[:]' all: value equals '(.*?)' (the jq filter in the warning above already reduces the document to the client-ca-file entries matching var_apiserver_client_ca, so the definition is true when at least one such entry remains)

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_client_ca:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | fail

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_encryption_provider_cipher

Result:

fail

Time:

2023-10-15T17:57:57+00:00

Description:

When you enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:

  • Secrets
  • ConfigMaps
  • Routes
  • OAuth access tokens
  • OAuth authorize tokens

When you enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an etcd backup.

To ensure the correct cipher, set the encryption type aescbc in the apiserver object which configures the API server itself.

spec:
  encryption:
    type: aescbc

For more information, follow the relevant documentation.

Rationale:

etcd is a highly available key-value store used by OpenShift deployments for persistent storage of all REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid disclosure. Where etcd encryption is used, it is important to ensure that an appropriate encryption provider is selected. The OVAL definition below accepts aescbc or aesgcm; the description above configures aescbc.

Severity:

medium

Identifiers:

CCE-83585-0

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and:
  • retrieve the /apis/config.openshift.io/v1/apiservers/cluster API endpoint, filter it with the jq filter [.spec.encryption.type], and persist the result to the local file /kubernetes-api-resources/apis/config.openshift.io/v1/apiservers/cluster#a1d4b20a86b76e7e2d634dbeff420b1a80df6800836dad1b552314d1b24a18cb (this rule does not apply to HyperShift hosted control planes, where the equivalent setting would be .spec.secretEncryption.type of the HostedCluster object under /apis/hypershift.openshift.io/v1beta1).

Remediation Kubernetes snippet
---
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  encryption:
    type: "{{.var_apiserver_encryption_type}}"

OVAL definition:

Definition ID:

oval:ssg-api_server_encryption_provider_cipher:def:1

Class:

compliance

Title:

Configure the Encryption Provider Cipher

Description:

In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster#a1d4b20a86b76e7e2d634dbeff420b1a80df6800836dad1b552314d1b24a18cb' at path '[:]' all: value equals 'aescbc|aesgcm' (the array holds the single value of .spec.encryption.type; an unset or identity type does not match and the rule fails, as it did on this cluster)

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_encryption_provider_cipher:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_etcd_ca

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To ensure etcd is configured to make use of TLS encryption for client connections, follow the OpenShift documentation and set up the TLS connection between the API Server and etcd. Then, verify that apiServerArguments has etcd-cafile configured in the openshift-kube-apiserver config configmap to something similar to:
"apiServerArguments": {
  ...
    "etcd-cafile": [
        "/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"
    ],
  ...
Rationale:

etcd is a highly-available key-value store used by OpenShift deployments for persistent storage of all REST API objects. These objects are sensitive in nature and should be protected by TLS and client authentication. The CA file lets the API Server verify the etcd server's certificate before it presents its own client certificate and key.

Severity:

medium

Identifiers:

CCE-84216-1

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and:
  • retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint, filter it with the jq filter [.data."config.yaml" | fromjson | select(.apiServerArguments["etcd-cafile"]) | .apiServerArguments["etcd-cafile"][] | select(test("{{.var_apiserver_etcd_ca}}"))] (where {{.var_apiserver_etcd_ca}} is substituted with the value of the profile variable var_apiserver_etcd_ca), and persist the result to the local file /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#33769e7a3c14dd6dc237eb2b13a72140eeadf2ce49578f57bc9e0fd096cf4e9a (this rule does not apply to HyperShift hosted control planes, where the source would instead be the hosted cluster's kas-config configmap, key config.json, and the expected CA path /etc/kubernetes/certs/etcd-ca/ca.crt).

OVAL definition:

Definition ID:

oval:ssg-api_server_etcd_ca:def:1

Class:

compliance

Title:

Configure the etcd Certificate Authority for the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#33769e7a3c14dd6dc237eb2b13a72140eeadf2ce49578f57bc9e0fd096cf4e9a' at path '[:]' all: value equals '(.*?)' (the jq filter in the warning above already reduces the document to the etcd-cafile entries matching var_apiserver_etcd_ca, so the definition is true when at least one such entry remains)

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_etcd_ca:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_etcd_cert

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To ensure etcd is configured to make use of TLS encryption for client communications, follow the OpenShift documentation and setup the TLS connection between the API Server and etcd. Then, verify that apiServerArguments has the etcd-certfile configured in the openshift-kube-apiserver configmap to something similar to:
...
"etcd-certfile": [
    "/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"
],
...
Rationale:

etcd is a highly-available key-value store used by OpenShift deployments for persistent storage of all REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API Server to identify itself to the etcd server using a client certificate and key.

Severity:

medium

Identifiers:

CCE-83876-3

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and:
  • retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint, filter it with the jq filter .data."config.yaml" | fromjson, and persist the result to the local file /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 (this rule does not apply to HyperShift hosted control planes, where the source would instead be the hosted cluster's kas-config configmap, key config.json).

OVAL definition:

Definition ID:

oval:ssg-api_server_etcd_cert:def:1

Class:

compliance

Title:

Configure the etcd Certificate for the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["etcd-certfile"][:]' all: value equals '.*\.crt'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_etcd_cert:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_etcd_key

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To ensure etcd is configured to make use of TLS encryption for client communications, follow the OpenShift documentation and setup the TLS connection between the API Server and etcd. Then, verify that apiServerArguments has the etcd-keyfile configured in the openshift-kube-apiserver configmap to something similar to:
...
"etcd-keyfile": [
    "/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"
],
...
Rationale:

etcd is a highly-available key-value store used by OpenShift deployments for persistent storage of all REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API Server to identify itself to the etcd server using a client certificate and key.

Severity:

medium

Identifiers:

CCE-83546-2

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and:
  • retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint, filter it with the jq filter .data."config.yaml" | fromjson, and persist the result to the local file /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 (this rule does not apply to HyperShift hosted control planes, where the source would instead be the hosted cluster's kas-config configmap, key config.json).

OVAL definition:

Definition ID:

oval:ssg-api_server_etcd_key:def:1

Class:

compliance

Title:

Configure the etcd Certificate Key for the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["etcd-keyfile"][:]' all: value equals '.*\.key'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_etcd_key:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
The kube-apiserver uses HTTPS for its connections to kubelets by default. The apiserver flag "--kubelet-https" is deprecated and should either be set to "true" or omitted from the argument list.
Rationale:

Connections from the kube-apiserver to kubelets could potentially carry sensitive data such as secrets and keys. It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.

Severity:

medium

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and:
  • retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint, filter it with the jq filter .data."config.yaml" | fromjson, and persist the result to the local file /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 (this rule does not apply to HyperShift hosted control planes, where the source would instead be the hosted cluster's kas-config configmap, key config.json).

OVAL definition:

Definition ID:

oval:ssg-api_server_https_for_kubelet_conn:def:1

Class:

compliance

Title:

Ensure that the --kubelet-https argument is set to true

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[:]' all: key 'kubelet-https' value equals '' (evaluated as a none-exist check: the definition is true only when no kubelet-https key is present, i.e. the deprecated flag has been omitted)

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_https_for_kubelet_conn:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_insecure_bind_address

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
OpenShift should not bind to non-loopback insecure addresses. Edit the openshift-kube-apiserver configmap and remove the insecure-bind-address argument if it exists:
"apiServerArguments":{
  ...
  "insecure-bind-address":[
    "127.0.0.1"
  ],
  ...
Rationale:

If the API Server is bound to an insecure address the installation would be susceptible to unauthenticated and unencrypted access to the master node(s). The API Server does not perform authentication checking for insecure binds and the traffic is generally not encrypted.

Severity:

medium

Identifiers:

CCE-83955-5

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and:
  • retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint, filter it with the jq filter .data."config.yaml" | fromjson | .apiServerArguments, and persist the result to the local file /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#95b5b27bb6ea2b122e810c99c17c2430c4845596942804847dd677557cfed88e (this rule does not apply to HyperShift hosted control planes, where the source would instead be the hosted cluster's kas-config configmap, key config.json).

OVAL definition:

Definition ID:

oval:ssg-api_server_insecure_bind_address:def:1

Class:

compliance

Title:

Disable Use of the Insecure Bind Address

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#95b5b27bb6ea2b122e810c99c17c2430c4845596942804847dd677557cfed88e' at path '.apiServerArguments[:]' all: value equals 'insecure-bind-address' (evaluated as a none-exist check: the definition is true only when no insecure-bind-address key is present)

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_insecure_bind_address:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | notapplicable

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_insecure_port

Result:

notapplicable

Time:

2023-10-15T17:57:57+00:00

Description:
By default, traffic for the OpenShift API server is served over HTTPS with authentication and authorization, and the secure API endpoint is bound to 0.0.0.0:6443. To ensure that the insecure port has not been enabled, the insecure-port parameter, if present at all, should be set to 0. Edit the openshift-kube-apiserver configmap and change any insecure-port value such as the one below to 0:
"apiServerArguments":{
  ...
  "insecure-port":[
    "1234"
  ],
  ...
Rationale:

Configuring the API Server on an insecure port would allow unauthenticated and unencrypted access to your master node(s). It is assumed that firewall rules will be configured to ensure this port is not reachable from outside the cluster; however, as a defense-in-depth measure, OpenShift should not be configured to use insecure ports.

Severity:

medium

Identifiers:

CCE-83813-6

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_insecure_port:def:1

Class:

compliance

Title:

Prevent Insecure Port Access

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["insecure-port"][:]' all: value equals '0'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_insecure_port:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted_and_ocp4.10_or_ocp4.6_or_ocp4.7_or_ocp4.8_or_ocp4.9
high | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_kubelet_certificate_authority

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To ensure OpenShift verifies kubelet certificates before establishing connections, follow the OpenShift documentation and set up the TLS connection between the API Server and kubelets. Edit the openshift-kube-apiserver configmap and set the below parameter if it is not already configured:
"apiServerArguments":{
  ...
  "kubelet-certificate-authority":"/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt",
  ...
Rationale:

Connections from the API Server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet port-forwarding functionality. These connections terminate at the kubelet HTTPS endpoint. By default, the API Server does not verify the kubelet serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.

Severity:

high

Identifiers:

CCE-84196-5

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-certificate-authority"]) | .apiServerArguments["kubelet-certificate-authority"][] | select(test("/etc/kubernetes/certs/kubelet-ca/ca.crt"))]{{else}}[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-certificate-authority"]) | .apiServerArguments["kubelet-certificate-authority"][] | select(test("{{.var_apiserver_kubelet_certificate_authority}}"))]{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#1118b118fc93b557cda9eb3f29584d2f92f5c3976f77dec35848eb54e0d819cc file.

OVAL definition:

Definition ID:

oval:ssg-api_server_kubelet_certificate_authority:def:1

Class:

compliance

Title:

Configure the kubelet Certificate Authority for the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#1118b118fc93b557cda9eb3f29584d2f92f5c3976f77dec35848eb54e0d819cc' at path '[:]' all: value equals '(.*?)'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_kubelet_certificate_authority:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
high | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To enable certificate-based kubelet authentication, edit the config configmap in the openshift-kube-apiserver namespace and set the below parameter in the config.yaml key if it is not already configured:
"apiServerArguments":{
...
  "kubelet-client-certificate":"/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt",
...
}
Rationale:

By default the API Server does not authenticate itself to the kubelet's HTTPS endpoints. Requests from the API Server are treated anonymously. Configuring certificate-based kubelet authentication ensures that the API Server authenticates itself to kubelets when submitting requests.

Severity:

high

Identifiers:

CCE-84080-1

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("/etc/kubernetes/certs/kubelet/tls.crt"))]{{else}}[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("{{.var_apiserver_kubelet_client_cert}}"))]{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#e5500055b4aa2fcf00dc09ad0e66e44b6b42d67f8d53d1e72ff81b32f0e09865 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_kubelet_client_cert:def:1

Class:

compliance

Title:

Configure the kubelet Certificate File for the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#e5500055b4aa2fcf00dc09ad0e66e44b6b42d67f8d53d1e72ff81b32f0e09865' at path '[:]' all: value equals '(.*?)'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_kubelet_client_cert:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted_and_ocp4.10_or_ocp4.11_or_ocp4.12_or_ocp4.13_or_ocp4.9
high | notapplicable

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert_pre_4_9

Result:

notapplicable

Time:

2023-10-15T17:57:57+00:00

Description:
To enable certificate-based kubelet authentication, edit the config configmap in the openshift-kube-apiserver namespace and set the below parameter in the config.yaml key if it is not already configured:
"apiServerArguments":{
...
  "kubelet-client-certificate":"/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt",
...
}
Note that this particular rule is only valid for OCP releases up to and including 4.8.
Rationale:

By default the API Server does not authenticate itself to the kubelet's HTTPS endpoints. Requests from the API Server are treated anonymously. Configuring certificate-based kubelet authentication ensures that the API Server authenticates itself to kubelets when submitting requests.

Severity:

high

Identifiers:

CCE-85890-2

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config file.

OVAL definition:

Definition ID:

oval:ssg-api_server_kubelet_client_cert_pre_4_9:def:1

Class:

compliance

Title:

Configure the kubelet Certificate File for the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data["config.yaml"]' all: value equals '"kubelet-client-certificate":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"\]'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_kubelet_client_cert_pre_4_9:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted_and_ocp4.6_or_ocp4.7_or_ocp4.8
high | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To enable certificate-based kubelet authentication, edit the config configmap in the openshift-kube-apiserver namespace and set the below parameter in the config.yaml key if it is not already configured:
"apiServerArguments":{
...
  "kubelet-client-key":"/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key",
...
}
Rationale:

By default the API Server does not authenticate itself to the kubelet's HTTPS endpoints. Requests from the API Server are treated anonymously. Configuring certificate-based kubelet authentication ensures that the API Server authenticates itself to kubelets when submitting requests.

Severity:

high

Identifiers:

CCE-83591-8

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-key"]) | .apiServerArguments["kubelet-client-key"][] | select(test("/etc/kubernetes/certs/kubelet/tls.key"))]{{else}}[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-key"]) | .apiServerArguments["kubelet-client-key"][] | select(test("{{.var_apiserver_kubelet_client_key}}"))]{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#1e2b7c1158e0b9a602cb20d62c82b4660907bb57b63dac11c6c7c64211c49c69 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_kubelet_client_key:def:1

Class:

compliance

Title:

Configure the kubelet Certificate Key for the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#1e2b7c1158e0b9a602cb20d62c82b4660907bb57b63dac11c6c7c64211c49c69' at path '[:]' all: value equals '(.*?)'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_kubelet_client_key:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted_and_ocp4.10_or_ocp4.11_or_ocp4.12_or_ocp4.13_or_ocp4.9
high | notapplicable

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key_pre_4_9

Result:

notapplicable

Time:

2023-10-15T17:57:57+00:00

Description:
To enable certificate-based kubelet authentication, edit the config configmap in the openshift-kube-apiserver namespace and set the below parameter in the config.yaml key if it is not already configured:
"apiServerArguments":{
...
  "kubelet-client-key":"/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key",
...
}
Note that this particular rule is only valid for OCP releases up to and including 4.8.
Rationale:

By default the API Server does not authenticate itself to the kubelet's HTTPS endpoints. Requests from the API Server are treated anonymously. Configuring certificate-based kubelet authentication ensures that the API Server authenticates itself to kubelets when submitting requests.

Severity:

high

Identifiers:

CCE-90794-9

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /api/v1/namespaces/openshift-kube-apiserver/configmaps/config API endpoint to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config file.

OVAL definition:

Definition ID:

oval:ssg-api_server_kubelet_client_key_pre_4_9:def:1

Class:

compliance

Title:

Configure the kubelet Certificate Key for the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data["config.yaml"]' all: value equals '"kubelet-client-key":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"\]'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_kubelet_client_key_pre_4_9:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted_and_ocp4.6_or_ocp4.7_or_ocp4.8
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_oauth_https_serving_cert

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
By default, the OpenShift OAuth API Server uses TLS. HTTPS should be used for connections between openshift-oauth-apiserver and kube-apiserver. By default, the OpenShift OAuth API Server uses the Intermediate TLS security profile, which requires a minimum TLS version of 1.2.
Rationale:

Connections between the kube-apiserver and the extension openshift-oauth-apiserver could potentially carry sensitive data such as secrets and keys. It is important to use in-transit encryption for any communication between the kube-apiserver and the extension openshift-apiserver.

Severity:

medium

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/config.openshift.io/v1/apiservers/cluster API endpoint to the local /kubernetes-api-resources/apis/config.openshift.io/v1/apiservers/cluster file.

OVAL definition:

Definition ID:

oval:ssg-api_server_oauth_https_serving_cert:def:1

Class:

compliance

Title:

Ensure the openshift-oauth-apiserver service uses TLS

Description:

TLS security profile configured must use secure protocols in OpenShift OAuth API Server

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_oauth_https_serving_cert:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_openshift_https_serving_cert

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
By default, the OpenShift API Server uses TLS. HTTPS should be used for connections between openshift-apiserver and kube-apiserver. By default, the OpenShift OAuth API Server uses the Intermediate TLS security profile, which requires a minimum TLS version of 1.2.
Rationale:

Connections between the kube-apiserver and the extension openshift-apiserver could potentially carry sensitive data such as secrets and keys. It is important to use in-transit encryption for any communication between the kube-apiserver and the extension openshift-apiserver.

Severity:

medium

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/config.openshift.io/v1/apiservers/cluster API endpoint to the local /kubernetes-api-resources/apis/config.openshift.io/v1/apiservers/cluster file.

OVAL definition:

Definition ID:

oval:ssg-api_server_openshift_https_serving_cert:def:1

Class:

compliance

Title:

Ensure the openshift-oauth-apiserver service uses TLS

Description:

TLS security profile configured must use secure protocols in OpenShift API Server

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_openshift_https_serving_cert:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_profiling_protected_by_rbac

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
Ensure that the cluster-debugger cluster role includes the /metrics resource URL. This demonstrates that profiling is protected by RBAC, with a specific cluster role to allow access.
Rationale:

Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. To ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see the cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to the cluster-admin or cluster-debugger role. Profiling cannot be disabled.

Severity:

medium

Identifiers:

CCE-84212-0

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger API endpoint to the local /kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger file.

OVAL definition:

Definition ID:

oval:ssg-api_server_profiling_protected_by_rbac:def:1

Class:

compliance

Title:

Profiling is protected by RBAC

Description:

In the YAML/JSON file '/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger' at path '.rules[0].nonResourceURLs[:]' at least one: value equals '\/metrics'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_profiling_protected_by_rbac:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_request_timeout

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
The API server minimum request timeout defines the minimum number of seconds a handler must keep a request open before timing it out. To set this, edit the openshift-kube-apiserver configmap and set min-request-timeout under the apiServerArguments field:
"apiServerArguments":{
  ...
  "min-request-timeout":[
    3600
  ],
  ...
Rationale:

Setting a global request timeout allows extending the API Server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 1800 seconds, which might not be suitable for some environments. Setting the limit too low may result in excessive timeouts, and a limit that is too large may exhaust the API Server's resources, making it prone to Denial-of-Service attacks. It is recommended to set this limit as appropriate and change the default limit of 1800 seconds only if needed.

Severity:

medium

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_request_timeout:def:1

Class:

compliance

Title:

Configure the API Server Minimum Request Timeout

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["min-request-timeout"][:]' at least one: value equals '(\d*)'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_request_timeout:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_service_account_lookup

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
Validate the service account before validating the token.
Rationale:

If service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account named in the token is actually present in etcd. This allows using a service account token even after the corresponding service account has been deleted. This is an example of a time-of-check to time-of-use (TOCTOU) security issue.

Severity:

medium

Identifiers:

CCE-83370-7

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_service_account_lookup:def:1

Class:

compliance

Title:

Ensure that the service-account-lookup argument is set to true

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["service-account-lookup"][:]' at least one: value equals 'true'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_service_account_lookup:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_service_account_public_key

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To ensure the API Server utilizes its own key pair, edit the openshift-kube-apiserver configmap and set the serviceAccountPublicKeyFiles parameter to the public key file for service accounts:
...
"serviceAccountPublicKeyFiles":[
  "/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs"
],
...
Rationale:

By default, if no service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens.

Severity:

medium

Identifiers:

CCE-83350-9

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_service_account_public_key:def:1

Class:

compliance

Title:

Configure the Service Account Public Key for the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.serviceAccountPublicKeyFiles[:]' at least one: value equals '.+'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_service_account_public_key:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_tls_cert

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To ensure the API Server utilizes its own TLS certificates, the tls-cert-file must be configured. Verify that the apiServerArguments section has the tls-cert-file configured in the config configmap in the openshift-kube-apiserver namespace similar to:
"apiServerArguments":{
...
"tls-cert-file": [
  "/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"
],
...
}
Rationale:

API Server communication contains sensitive parameters that should remain encrypted in transit. Configure the API Server to serve only HTTPS traffic.

Severity:

medium

Identifiers:

CCE-83779-9

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | select(.apiServerArguments["tls-cert-file"]) | .apiServerArguments["tls-cert-file"][] | select(test("/etc/kubernetes/certs/server/tls.crt"))]{{else}}[.data."config.yaml" | fromjson | select(.apiServerArguments["tls-cert-file"]) | .apiServerArguments["tls-cert-file"][] | select(test("{{.var_apiserver_tls_cert}}"))]{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#bca394347bab5b9902f1d1568d4f5d6e5498b01ec27ddf8231443e376b18757d file.

OVAL definition:

Definition ID:

oval:ssg-api_server_tls_cert:def:1

Class:

compliance

Title:

Configure the Certificate for the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#bca394347bab5b9902f1d1568d4f5d6e5498b01ec27ddf8231443e376b18757d' at path '[:]' all: value equals '(.*?)'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_tls_cert:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
Severity: medium, Result: pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To ensure that the API Server is configured to only use strong cryptographic ciphers, verify the openshift-kube-apiserver configmap contains the following set of ciphers, with no additions:
"servingInfo":{
  ...
  "cipherSuites": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
  ],
  ...
Rationale:

A number of TLS cipher suites have known vulnerabilities and weaknesses that reduce the protection they provide. By default, OpenShift supports several TLS cipher suites, including some with security concerns that weaken the protection provided.

Severity:

medium

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter it with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.

Management warning
Once configured, API Server clients that cannot support modern cryptographic ciphers will not be able to make connections to the API server.

OVAL definition:

Definition ID:

oval:ssg-api_server_tls_cipher_suites:def:1

Class:

compliance

Title:

Use Strong Cryptographic Ciphers on the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.servingInfo.cipherSuites[:]' all: value equals 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_tls_cipher_suites:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
Severity: medium, Result: pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_tls_private_key

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To ensure the API Server utilizes its own TLS certificates, the tls-private-key-file must be configured. Verify that the apiServerArguments section has the tls-private-key-file configured in the config configmap in the openshift-kube-apiserver namespace similar to:
"apiServerArguments":{
...
"tls-private-key-file": [
  "/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"
],
...
}
Rationale:

API Server communication contains sensitive parameters that should remain encrypted in transit. Configure the API Server to serve only HTTPS traffic.

Severity:

medium

Identifiers:

CCE-84282-3

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter it with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | select(.apiServerArguments["tls-private-key-file"]) | .apiServerArguments["tls-private-key-file"][] | select(test("/etc/kubernetes/certs/server/tls.key"))]{{else}}[.data."config.yaml" | fromjson | select(.apiServerArguments["tls-private-key-file"]) | .apiServerArguments["tls-private-key-file"][] | select(test("{{.var_apiserver_tls_private_key}}"))]{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c69c1fe6742f70a3a16c09461f57a19ef2a695143301cede2f2f5d307aa3508 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_tls_private_key:def:1

Class:

compliance

Title:

Configure the Certificate Key for the API Server

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c69c1fe6742f70a3a16c09461f57a19ef2a695143301cede2f2f5d307aa3508' at path '[:]' all: value equals '(.*?)'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_tls_private_key:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
Severity: high, Result: pass

Rule ID:

xccdf_org.ssgproject.content_rule_api_server_token_auth

Result:

pass

Time:

2023-10-15T17:57:57+00:00

Description:
To ensure OpenShift does not accept token-based authentication, follow the OpenShift documentation and configure alternate mechanisms for authentication. Then edit the API Server pod specification file, the openshift-kube-apiserver configmap, and remove the token-auth-file parameter:
"apiServerArguments":{
  ...
  "token-auth-file":[
    "/path/to/any/file"
  ],
  ...
Rationale:

The token-based authentication utilizes static tokens to authenticate requests to the API Server. The tokens are stored in clear-text in a file on the API Server, and cannot be revoked or rotated without restarting the API Server.

Severity:

high

Identifiers:

CCE-83481-2

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter it with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson]{{else}}[.data."config.yaml" | fromjson]{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145 file.

OVAL definition:

Definition ID:

oval:ssg-api_server_token_auth:def:1

Class:

compliance

Title:

Disable Token-based Authentication

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["enable-admission-plugins"][:]' all: value equals '^token-auth-file$'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-api_server_token_auth:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
Severity: medium, Result: fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_log_forwarding_enabled

Result:

fail

Time:

2023-10-15T17:57:57+00:00

Description:
OpenShift audit works at the API server level, logging all requests coming to the server. Audit is on by default, and the best practice is to ship audit logs off the cluster for retention. The cluster-logging-operator is able to do this with the ClusterLogForwarders resource. The aforementioned resource can be configured to send logs to different third-party systems. For more information on this, please reference the official documentation: https://docs.openshift.com/container-platform/4.6/logging/cluster-logging-external.html
Rationale:

Retaining logs ensures the ability to go back in time to investigate or correlate any events. Offloading audit logs from the cluster ensures that an attacker who has access to the cluster will not be able to tamper with the logs, because the logs are stored off-site.

Severity:

medium

Identifiers:

CCE-84076-9

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the /apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance API endpoint to the local /kubernetes-api-resources/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance file.

OVAL definition:

Definition ID:

oval:ssg-audit_log_forwarding_enabled:def:1

Class:

compliance

Title:

Ensure that Audit Log Forwarding Is Enabled

Description:

In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance' at path 'spec.pipelines[:].inputRefs[:]' at least one: value equals 'audit'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-audit_log_forwarding_enabled:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift_and_not_ocp4-on-hypershift-hosted
Severity: medium, Result: notapplicable

Rule ID:

xccdf_org.ssgproject.content_rule_audit_log_forwarding_webhook

Result:

notapplicable

Time:

2023-10-15T17:57:57+00:00

Description:
Audit is on by default, and the best practice is to ship audit logs off the cluster for retention. HyperShift is able to do this with an audit webhook, which is configured in the HostedCluster custom resource. The aforementioned resource can be configured to log to different third-party systems. For more information on this, please reference the official documentation: https://hypershift-docs.netlify.app/reference/api/
Rationale:

Retaining logs ensures the ability to go back in time to investigate or correlate any events. Offloading audit logs from the cluster ensures that an attacker who has access to the cluster will not be able to tamper with the logs, because the logs are stored off-site.

Severity:

medium

Identifiers:

CCE-86103-9

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • /apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}} API endpoint, filter it with the jq utility using the following filter .spec and persist it to the local /kubernetes-api-resources/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance#916d614f6293c0b742a5e71ac156259606d6735ca783595a3548858d747aa053 file.

OVAL definition:

Definition ID:

oval:ssg-audit_log_forwarding_webhook:def:1

Class:

compliance

Title:

Ensure that Audit Log Webhook Is Configured

Description:

In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance#916d614f6293c0b742a5e71ac156259606d6735ca783595a3548858d747aa053' at path '.auditWebhook' at least one: value equals '.*'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-audit_log_forwarding_webhook:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#ocp4-on-hypershift
Severity: medium, Result: fail

Rule ID:

xccdf_org.ssgproject.content_rule_audit_profile_set

Result:

fail

Time:

2023-10-15T17:57:59+00:00

Description:

OpenShift can audit the details of requests made to the API server through the standard Kubernetes audit capabilities.

In OpenShift, auditing of the API Server is on by default. Audit provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system, whether by individual users, administrators, or other components of the system. Audit works at the API server level, logging all requests coming to the server. Each audit log contains two entries:

The request line containing:

  • A unique ID that allows matching the response line (see #2)
  • The source IP of the request
  • The HTTP method being invoked
  • The original user invoking the operation
  • The impersonated user for the operation (self meaning the user themselves)
  • The impersonated group for the operation (lookup meaning the user's group)
  • The namespace of the request, or none
  • The URI as requested

The response line containing:

  • The aforementioned unique ID
  • The response code

For more information on how to configure the audit profile, please visit the documentation

Rationale:

Logging is an important detective control for all systems, to detect potential unauthorised access.

Severity:

medium

Identifiers:

CCE-83577-7

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the /apis/config.openshift.io/v1/apiservers/cluster API endpoint to the local /kubernetes-api-resources/apis/config.openshift.io/v1/apiservers/cluster file.

Remediation Kubernetes snippet
---
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  audit:
    profile: {{.var_openshift_audit_profile}}

OVAL definition:

Definition ID:

oval:ssg-audit_profile_set:def:1

Class:

compliance

Title:

Ensure that the cluster's audit profile is properly set

Description:

In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster' at path 'spec.audit.profile' all:

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-audit_profile_set:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
Severity: high, Result: pass

Rule ID:

xccdf_org.ssgproject.content_rule_configure_network_policies

Result:

pass

Time:

2023-10-15T17:57:59+00:00

Description:
There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies, it may not be possible to effectively restrict traffic in the cluster. OpenShift supports Kubernetes NetworkPolicy using a Kubernetes Container Network Interface (CNI) plug-in.
Rationale:

Kubernetes network policies are enforced by the CNI plugin in use. As such, it is important to ensure that the CNI plugin supports both Ingress and Egress network policies.

Severity:

high

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • /apis/operator.openshift.io/v1/networks/cluster API endpoint, filter it with the jq utility using the following filter [.spec.defaultNetwork.type] and persist it to the local /kubernetes-api-resources/apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498 file.

OVAL definition:

Definition ID:

oval:ssg-configure_network_policies:def:1

Class:

compliance

Title:

Ensure that the CNI in use supports Network Policies

Description:

In the YAML/JSON file '/apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498' at path '[:]' all: value equals 'OpenShiftSDN|OVN|Calico'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-configure_network_policies:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift
Severity: high, Result: notapplicable

Rule ID:

xccdf_org.ssgproject.content_rule_configure_network_policies_hypershift_hosted

Result:

notapplicable

Time:

2023-10-15T17:57:59+00:00

Description:
Use network policies to isolate traffic in your cluster network.
Rationale:

Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. However, if there are no network policies in a namespace, all traffic will be allowed into and out of the pods in that namespace.

Severity:

high

Identifiers:

CCE-86104-7

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • /apis/networking.k8s.io/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/networkpolicies API endpoint, filter it with the jq utility using the following filter [.items[] | .metadata.name] and persist it to the local /kubernetes-api-resources/apis/networking.k8s.io/v1/namespaces/networkpolicies#08ccf6ea6e29d378349cc36918df58d5e6172cd458ede2bf03fe4266ee1b6d6a file.

OVAL definition:

Definition ID:

oval:ssg-configure_network_policies_hypershift_hosted:def:1

Class:

compliance

Title:

Ensure that HyperShift Hosted Namespaces have Network Policies defined.

Description:

In the YAML/JSON file '/apis/networking.k8s.io/v1/namespaces/networkpolicies#08ccf6ea6e29d378349cc36918df58d5e6172cd458ede2bf03fe4266ee1b6d6a' at path '[:]' all: value equals '(.*?)'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-configure_network_policies_hypershift_hosted:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#ocp4-on-hypershift
Severity: high, Result: fail

Rule ID:

xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces

Result:

fail

Time:

2023-10-15T17:57:59+00:00

Description:
Use network policies to isolate traffic in your cluster network.
Rationale:

Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. However, if there are no network policies in a namespace, all traffic will be allowed into and out of the pods in that namespace.

Severity:

high

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • /apis/networking.k8s.io/v1/networkpolicies API endpoint, filter it with the jq utility using the following filter [.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique and persist it to the local /kubernetes-api-resources/apis/networking.k8s.io/v1/networkpolicies#51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300 file.
  • /api/v1/namespaces API endpoint, filter it with the jq utility using the following filter [.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")] and persist it to the local /kubernetes-api-resources/api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d file.

OVAL definition:

Definition ID:

oval:ssg-configure_network_policies_namespaces:def:1

Class:

compliance

Title:

Ensure that application Namespaces have Network Policies defined.

Description:

Ensure that application Namespaces have Network Policies defined

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-configure_network_policies_namespaces:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift
Severity: low, Result: pass

Rule ID:

xccdf_org.ssgproject.content_rule_controller_insecure_port_disabled

Result:

pass

Time:

2023-10-15T17:57:58+00:00

Description:
To ensure the Controller Manager service is bound to a secure loopback address and a secure port, set the RotateKubeletServerCertificate option to true in the openshift-kube-controller-manager configmap on the master node(s):
"extendedArguments": {
...
  "port": ["0"],
...
It is also acceptable for a system to deprecate the insecure port:
"extendedArguments": {
...
...
Rationale:

The Controller Manager API service is used for health and metrics information and is available without authentication or encryption. As such, it should only be bound to a localhost interface to minimize the cluster's attack surface.

Severity:

low

Identifiers:

CCE-83578-5

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}} API endpoint, filter it with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[[.items[0].spec.containers[0].args[] | select(. | match("--port=[1-9]*[1-9]+") )] | length | if . == 0 then true else false end]{{else}}[.data."config.yaml" | fromjson | if .extendedArguments["port"]!=null then .extendedArguments["port"]==["0"] else true end]{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#9f09cca56dc1e9f9605eb5a94aed74de554fd209513a9222e4fe9c0ed669aeee file.

OVAL definition:

Definition ID:

oval:ssg-controller_insecure_port_disabled:def:1

Class:

compliance

Title:

Ensure Controller insecure port argument is unset

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#9f09cca56dc1e9f9605eb5a94aed74de554fd209513a9222e4fe9c0ed669aeee' at path '[:]' all: value equals 'true'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-controller_insecure_port_disabled:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
Severity: low, Result: pass

Rule ID:

xccdf_org.ssgproject.content_rule_controller_secure_port

Result:

pass

Time:

2023-10-15T17:57:58+00:00

Description:
To ensure the Controller Manager service is bound to a secure loopback address using a secure port, set the RotateKubeletServerCertificate option to true in the openshift-kube-controller-manager configmap on the master node(s):
"extendedArguments": {
...
  "secure-port": ["10257"],
...
Rationale:

The Controller Manager API service is used for health and metrics information and is available without authentication or encryption. As such, it should only be bound to a localhost interface to minimize the cluster's attack surface.

Severity:

low

Identifiers:

CCE-83861-5

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}} API endpoint, filter it with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[[.items[0].spec.containers[0].args[] | select(. | match("--secure-port=10257") )] | length | if . ==1 then true else false end]{{else}}[.data."config.yaml" | fromjson | if .extendedArguments["secure-port"][]=="10257" then true else false end]{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#8241ce1009dc5dd166436d0311b60b96aa3a2f591ba43a26e2b9d0bfc9071414 file.

OVAL definition:

Definition ID:

oval:ssg-controller_secure_port:def:1

Class:

compliance

Title:

Ensure Controller secure-port argument is set

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#8241ce1009dc5dd166436d0311b60b96aa3a2f591ba43a26e2b9d0bfc9071414' at path '[:]' at least one: value equals 'true'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-controller_secure_port:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
Severity: medium, Result: pass

Rule ID:

xccdf_org.ssgproject.content_rule_controller_service_account_ca

Result:

pass

Time:

2023-10-15T17:57:58+00:00

Description:
To ensure the API Server utilizes its own key pair, set the masterCA parameter to the public key file for service accounts in the openshift-kube-controller-manager configmap on the master node(s):
"extendedArguments": {
...
  "root-ca-file": [
    "/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt"
  ],
...
Rationale:

Service accounts authenticate to the API using tokens signed by a private RSA key. The authentication layer verifies the signature using a matching public RSA key. Configuring the certificate authority file ensures that the API server's signing certificates are validated.

Severity:

medium

Identifiers:

CCE-84244-3

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}} API endpoint, filter it with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[[.items[0].spec.containers[0].args[] | select(. | match("--root-ca-file") )] | length | if . ==1 then true else false end]{{else}}[.data."config.yaml" | fromjson | if .extendedArguments["root-ca-file"]!=null then true else false end]{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#e27218fb5fb7cd68a9911eb2db6bf715ca959f639e56cb60f90be782ddd7fcf8 file.

OVAL definition:

Definition ID:

oval:ssg-controller_service_account_ca:def:1

Class:

compliance

Title:

Configure the Service Account Certificate Authority Key for the Controller Manager

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#e27218fb5fb7cd68a9911eb2db6bf715ca959f639e56cb60f90be782ddd7fcf8' at path '[:]' at least one: value equals 'true'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-controller_service_account_ca:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted
medium | pass

Rule ID:

xccdf_org.ssgproject.content_rule_controller_service_account_private_key

Result:

pass

Time:

2023-10-15T17:57:58+00:00

Description:
To ensure the API Server utilizes its own key pair, set the privateKeyFile parameter to the public key file for service accounts in the openshift-kube-controller-manager configmap on the master node(s):
"extendedArguments": {
...
  "service-account-private-key-file": [
    "/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key"
  ],
...
Rationale:

By default if no private key file is specified to the API Server, the API Server uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens could be rotated as needed, a separate public/private key pair should be used for signing service account tokens.

Severity:

medium

Identifiers:

CCE-83526-4

References:

Warnings:

General warning
This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}} API endpoint, filter it with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[[.items[0].spec.containers[0].args[] | select(. | match("--service-account-private-key-file") )] | length | if . ==1 then true else false end]{{else}}[.data."config.yaml" | fromjson | if .extendedArguments["service-account-private-key-file"]!=null then true else false end]{{end}} and persist it to the local /kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#407a17f0f401ae8c92955bc382bc80ee34a9afd51ab787e405bf524d03ebf3c8 file.

OVAL definition:

Definition ID:

oval:ssg-controller_service_account_private_key:def:1

Class:

compliance

Title:

Configure the Service Account Private Key for the Controller Manager

Description:

In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#407a17f0f401ae8c92955bc382bc80ee34a9afd51ab787e405bf524d03ebf3c8' at path '[:]' at least one: value equals 'true'

Class explained:

Compliance class describes OVAL Definitions that check to see if a system's state is compliant with a specific policy. An evaluation result of "true", for this class of OVAL Definitions, indicates that a system is compliant with the stated policy.

Version:

1

OVAL graph of OVAL definition: oval:ssg-controller_service_account_private_key:def:1

Applicability checks:

CPE platform required by profile:
cpe:/a:redhat:openshift_container_platform_on_sdn:4 Profile platform
cpe:/a:redhat:openshift_container_platform:4.13 Profile platform
cpe:/a:redhat:openshift_container_platform:4.1 Profile platform
CPE platform required by rule:
#not_ocp4-on-hypershift-hosted